Last active
July 20, 2021 15:30
Generate a random EFI firmware password for each Mac and store it in Jamf Pro. Note: This will be completely visible to all Jamf Pro users whose permissions allow access to Computers. Create an extension attribute with the first script.
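#!/bin/bash

# Generates a random firmware (EFI) password for this Mac, records it as a
# file name under /private/var/.fp so a Jamf Pro extension attribute can
# report it, uploads inventory, then sets the firmware password with the
# jamf binary.
#
# The password becomes readable in the Jamf Pro computer record by every
# Jamf Pro user whose permissions allow access to Computers.

# Reports the outcome of the command that ran immediately before the call.
# Arguments: $1 - message printed on success
#            $2 - message printed on failure
# Exits the script with status 1 on failure.
function logresult() {
  # must be the first statement: any earlier command would overwrite $?
  local status=$?
  if [ "$status" = "0" ] ; then
    echo "$1"
  else
    echo "$2"
    exit 1
  fi
}

# verify whether a firmware password is set
echo "Checking for existing firmware password"
checkFirmwarePassword=$( /usr/sbin/firmwarepasswd -check )

# if a firmware password is already set, stop the script (exits 0, so the
# policy is not reported as failed).
# The two tests are joined with "||"; with a single "|" they form a pipeline
# whose status is only that of the directory test, so the firmwarepasswd
# result would be ignored.
# NOTE(review): this tests /private/tmp/.fp, but the password file is written
# under /private/var/.fp below -- confirm which path was intended.
if [ "$checkFirmwarePassword" != "Password Enabled: No" ] || [ -d /private/tmp/.fp ]; then
  echo "A firmware password is already set. Doing nothing."
  exit 0
else
  echo "No firmware password set"
fi

# create obscure directory
# The file name inside it IS the password, so restrict the directory to its
# owner; otherwise any local account can list it. Scripts run by the jamf
# binary as root (including the extension attribute) can still read it.
fpdirectory="/private/var/.fp"
/bin/mkdir -p "$fpdirectory" && /bin/chmod 700 "$fpdirectory"
logresult "Creating \"$fpdirectory\" directory" "Failed creating \"$fpdirectory\" directory"

# generate random password: 6 random bytes printed as 12 hex characters.
# An empty result is treated as a failure so an empty password is never used.
randpassword=$( /usr/bin/openssl rand -hex 6 ) && [ -n "$randpassword" ]
# The password itself is kept out of the messages so it does not also land
# in the policy log.
logresult "Generating 12-character firmware passcode" "Failed generating 12-character firmware passcode."

# record the password as the name of an empty file
/usr/bin/touch "$fpdirectory/$randpassword"
logresult "Writing password to file in \"$fpdirectory\"" "Failed writing password to file in \"$fpdirectory\""

# update Jamf Pro computer record with firmware password and set only if inventory was updated
# Note: the password is passed as a command-line argument, so it is visible
# in the local process list while the jamf binary runs.
/usr/local/bin/jamf recon && /usr/local/bin/jamf setOFP -mode command -password "$randpassword"

# set the firmware password only after a successful inventory update to Jamf Pro
if [ $? = "0" ]; then
  echo "Updating Jamf Pro inventory to upload firmware password"
  echo "Setting firmware password"
  exit 0
else
  # The password file is left in place on purpose: if the password was in
  # fact applied, deleting the only record of it would lock the Mac out.
  # After a failure, check the real state with "firmwarepasswd -check"
  # before trusting the value shown in Jamf Pro.
  echo "Failed setting firmware password"
  exit 1
fi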
#!/bin/bash

# Jamf Pro extension attribute: reports the names of the files found in
# /private/var/.fp between <result> tags. The file name is the firmware
# password, so the value is visible to every Jamf Pro user whose permissions
# allow access to Computers.
fp_listing=$( ls /private/var/.fp )
printf '%s\n' "<result>${fp_listing}</result>"

exit 0
:/ you're right, I remembered wrong; dropping link in case it helps anyone else in the future.
https://mrmacintosh.com/how-to-remove-mac-firmware-password-new-way-if-you-have-a-2018-2020-t2-mac/
@dev-yeet thank you very much for the tip. I needed to go to the restore step. But now I don't have an EFI password anymore.